[jitsi-dev] security issues


#1

Hello, after sending this email to the users list without getting an
answer, I hope to get answers here from the developers.

I am new to Jitsi. I have some questions regarding the security features
of Jitsi.

1. in options --> Security --> chat

Fingerprint:
how is the fingerprint created? And where are my public and private keys?
Can I change my private key?

2. in options --> Security --> call --> ZRTP

what exactly happens when I check "Trusted MitM" and/or "SAS signature
processing"?
If it is unchecked (default), does it mean a MitM attack can happen?

3.
if I only activate "AES3" in the symmetric cipher, does it mean my
communication via video and audio
will only be encrypted with AES3?
But what happens when my communication partner only activated "TWO1"?

4.
does the symmetric key in the ZRTP configuration also apply to the
OTR chat, or is it only for audio and video?

Thanks a lot. And sorry for so many questions, but I also didn't find
any documentation on these issues...

Regards

franzi


#2

Hi franzi,

I can help answer questions 3 and 4. Please correct me if I'm wrong.

3. If you only enable AES3, then the other side of the conversation must
also have enabled AES3, or else the cipher won't be negotiated and your call
cannot be encrypted.

4. The ZRTP key is completely separate from OTR. ZRTP is for media
(audio/video) while OTR is only for chat.

Cheers,

Peter

On Thu, Feb 19, 2015 at 11:48 AM, franzi <franzixuanlee@gmail.com> wrote:

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

Hi franzi,

1. in options --> Security --> chat Fingerprint:

how is the fingerprint created?

A public/private key pair is automatically generated for you by the OTR
plugin of Jitsi. The DSA algorithm is used for key generation. The
fingerprint is then calculated as a hash of the public key.

And where are my public and private keys?

They are stored in a configuration file that is typically in
%USER_HOME\AppData\Roaming\Jitsi on a Windows machine.

Can i change my private key?

Yes, you can. You simply have to click the "Re-generate" button and a new
public/private key pair will be generated for you.

Hope that helps!

Best regards,
Marin

On Thu, Feb 19, 2015 at 1:48 PM, franzi <franzixuanlee@gmail.com> wrote:

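An added worked example to go with Marin's answer above; this is not code from Jitsi or its OTR plugin. It does what he describes: generates a DSA key pair, serializes the public key in the OTR v3 PUBKEY wire format (key type 0x0000 followed by the MPIs p, q, g, y, each as a 4-byte length plus big-endian magnitude), and takes the SHA-1 of that serialization as the fingerprint, shown as five groups of eight hex digits the way OTR clients display it. Calling generate_dsa_keypair() again is the "Re-generate" button: a new private x gives a new y and therefore a new fingerprint. The parameter sizes are toy sizes chosen so it runs in well under a second (constructed; real OTR keys use a 1024-bit p and 160-bit q), and the function names are my own.

```python
"""OTR-style DSA key generation and fingerprint (added example, not Jitsi code).

Toy parameter sizes (constructed) so it runs fast; real OTR keys use
1024-bit p and 160-bit q. The serialization follows the OTR v3 PUBKEY
format: SHORT key type 0x0000 (DSA), then MPIs p, q, g, y.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True


def random_prime(bits):
    """Random odd prime with the top bit set so it really has `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_dsa_params(p_bits=256, q_bits=64):
    """Toy DSA domain parameters: prime q, prime p = k*q + 1, g of order q."""
    q = random_prime(q_bits)
    while True:
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)               # g^q == 1 mod p
        if g != 1:
            return p, q, g


def generate_dsa_keypair(params):
    """Private x in [1, q-1]; public y = g^x mod p. Call again to 'Re-generate'."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, (p, q, g, pow(g, x, p))


def encode_mpi(n):
    """OTR MPI: 4-byte big-endian length, then magnitude without leading zeros."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return len(body).to_bytes(4, "big") + body


def serialize_pubkey(pub):
    """OTR PUBKEY object: key type 0x0000 (DSA) followed by MPIs p, q, g, y."""
    p, q, g, y = pub
    return b"\x00\x00" + b"".join(encode_mpi(v) for v in (p, q, g, y))


def otr_fingerprint(pub):
    """SHA-1 over the serialized public key, formatted as 5 groups of 8 hex digits."""
    digest = hashlib.sha1(serialize_pubkey(pub)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


if __name__ == "__main__":
    params = generate_dsa_params()
    _, pub = generate_dsa_keypair(params)
    print("fingerprint:       ", otr_fingerprint(pub))
    _, pub2 = generate_dsa_keypair(params)        # "Re-generate"
    print("after re-generate: ", otr_fingerprint(pub2))
```

The fingerprint a contact compares out of band is a hash of the whole public key, so regenerating the pair changes it and every peer must re-verify; the private x never enters the serialization.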


#4

First thanks to your answers,

but i have some more questions:

in options --> Security --> call --> ZRTP

what exactly happens when I check "Trusted MitM" and/or "SAS signature
processing"?

If it is unchecked (default), does it mean a MitM attack can happen?

thanks

On 19.02.2015 at 20:36, Peter Villeneuve wrote:



#5

thanks,

when i go to

options --> Security --> call --> ZRTP

what are the exact names of the public keys

EC25
DH3K
EC38
DH2k
MULT

I suppose it will mean: DH3k --> Diffie-Hellman 3078-bit key?
Do these keys only do the key exchange for the symmetric key, so they
are independent of the private keys? For example, RSA uses a public key
and a private key and they depend on each other.

thanks

On 19.02.2015 at 20:36, Peter Villeneuve wrote:



#6

First thanks to your answers,

but i have some more questions:

in options --> Security --> call --> ZRTP

what exactly happens when I check "Trusted MitM" and/or "SAS signature
processing"?

If it is unchecked (default), does it mean a MitM attack can happen?

No, on the contrary. Trusted MitM is meant for PBXs like Asterisk, which you could run on a company network and which would therefore be trustworthy. It isn't meant for the regular end user, nor do I think we have a possibility to enroll such a trusted party.

thanks

Ingo